New threats compel DOD to rethink cyber strategy

The Defense Department’s widely heralded decision to create a new Cyber Command by October 2009 is still languishing in limbo. Confirmation hearings have yet to be scheduled for the prospective commander, National Security Agency director Army Lt. Gen. Keith Alexander. And efforts to kick-start the organization have been delayed by congressional concerns over the organization.

Meanwhile, adversaries working in the cyber domain aren’t sitting still. In December, hackers reportedly stole a classified PowerPoint slide deck that details South Korean and U.S. strategy for fighting a war with North Korea. And in Iraq, it was revealed that insurgents had intercepted Predator feeds using software they downloaded from the Internet.

Regardless of how quickly the Cyber Command moves forward, DOD is starting to shift its philosophic focus on network operations from information assurance to mission assurance — recognizing that as the Global Information Grid (GIG) comes under perpetual attack, efforts to deliver information services essential to operators will also need to shift from a focus on total network security to one of risk management.

To achieve that, information assurance experts say, DOD will need to concentrate on significant organizational and training issues as much as it does new technology. And it will need to address the lack of effective command and control for information assurance. That’s partially a technical issue, exacerbated by the diversity of network systems on which the GIG relies. But it also comes down to how DOD manages its networks and develops a concept of operations.

“With IA going forward, there are a lot of challenges,” only part of which is technology, said Tom Conway, director of federal business development at security software company McAfee. “You've got to have enough of the right trained people to do this. How do you get those people? That's a huge issue for everybody, not just in the military. Then, if you've got the trained people, how are they organized, how are they equipped, what are they supposed to be doing in their jobs? And that's something Cyber Command has to [decide] because before it was sort of left to the individual services to do what was best.”

Threats on the Move

Meanwhile, each of the services continues to move forward with its own cyber organizations, with the goal of supporting the new overall subcomponent command under the aegis of Strategic Command. The Air Force has officially formed the 24th Air Force, its “cyber-NAF” (numbered air force), and ground was broken Dec. 11 for the cyber operations center of the new 688th Information Operations Wing.

The Navy, for its part, is forming the 10th Fleet, which will be co-located with the Army Network Warfare Battalion and the Cyber Command at Fort Meade, Md. It is also moving to merge intelligence and communications responsibilities at the staff level, placing a combined communications and network warfare role under a new position, the assistant chief of naval operations for Information Dominance (N2/N6), alongside the proposed 10th Fleet.

The Army activated the 704th Military Intelligence Brigade’s Army Network Warfare Battalion in June 2008.

But although the services push ahead in developing their own organizations, adversaries have been enhancing their capabilities as well.

“The tradecraft of the attackers has really advanced in the last few years,” said Thomas Fuhrman, senior vice president at Booz Allen Hamilton. “And they're also very agile. There’s a whole range of threats, but the threats that matter — where we see exfiltration, threats of compromising national security command and control systems — this comes from a very sophisticated adversary.” And based on what analysts see, he said, “They respond to fixes we implement very rapidly.”

In addition, Fuhrman said, there is the proliferation of tools that make it easier for adversaries to attack DOD and other networks — as evidenced by the Iraqi insurgents’ interception of Predator video. “So you expand the range of people who are in this space by the availability of the tools to the work.”

Bailing and Bailing

Part of the problem that DOD faces is that because cyber threats have evolved so quickly, information assurance specialists tend to be in a perpetual catch-up mode in dealing with holes as they’re discovered. “We're still in the mode of … bailing out the ship,” Fuhrman said. “But you bail and bail to no avail because the attacker is always getting better. So the question [becomes] how do we get ahead of this … so we're not always reacting?"

Fuhrman said a central problem is the tendency of information assurance to be viewed as a forensic science, discovering what has already happened: What data was lost; what has gotten onto the network; and were protective measures overcome?

“The question of how we get ahead is very relevant. The problem is, there's no easy answer because of the abilities of the adversary,” he said.

“In DOD, they call it the advanced persistent threat,” McAfee’s Conway said. “It’s advanced in that these are very complicated things being done by sophisticated people, and it’s persistent — and the rate is going up. There is a lot of data exfiltration that's going on and continues to go on. There are data loss prevention technologies that can stop that sort of thing, and that's something DOD can start to roll out now. I think they understand they have a problem, but fixing it is complicated because they're so big, diverse and widespread.”

In fact, DOD’s diversity of configurations remains its biggest information assurance Achilles' heel. Although the services move forward with initiatives to consolidate networks, such as the Navy’s Next Generation Enterprise Network (NGEN) and Consolidated Afloat Enterprise Networks and Enterprise Services (CANES) programs, the sheer magnitude of different configurations make it difficult to manage the risk to the entire GIG, Fuhrman said. “It's hard to enforce consistent configurations and manage those configurations,” he said. “When you have huge networks with such a diversity of platforms, it is very, very difficult to identify the right configurations and then constantly manage them. DOD is taking good measures to improve it, there are standards and components that are being deployed that continually monitor configuration, but this is an unsolved problem — it's very difficult to keep up with that.”

Just the task of delivering a response to a new virus threat creates a major challenge right now, said Steve Hawkins, Raytheon’s vice president of information security solutions. “If you're Cyber Command, you've got to find a way to find — maybe do an antivirus and a signature — for it and get that deployed over literally hundreds of thousands of desktops and laptops and servers,” he said. “I think the scale of the problem for coordinated solutions and the speed they need to detect and put out a defensive measure is their largest challenge, where you'll see them really push hard. The organizational challenge, that's one side of it; but that needs to be focused on facilitating an operation that moves very rapidly to fix problems that you find.”

Broader Visibility

Finding the problems in the first place requires something that DOD doesn’t have: situational awareness over the entire GIG. “What that requires is a set of technologies that give them total situational awareness, so they can see what all's going on and in a matter of milliseconds be able to eradicate the offensive malware,” Hawkins said. “It's more challenging than ever to do that because with social engineering, just the acceptance of an e-mail by someone can allow malware into your system. You also have to be able to detect anomalous behavior within your own networks, be able to see it and stop it. There's a whole realm of technologies that are starting to emerge that will allow them to address that part.”

Situational awareness is the core of what the services are trying to create with cyber operations centers — an extension of the operations center model from more traditional warfighting combatant commands to the cyber realm. But just having situational awareness in a cyber operations center isn’t enough, Fuhrman said.

“We see cyber ops centers springing up all the time, and in principle, that's not a bad idea," Fuhrman said. "But the reality all too often is that we throw technology at the problem and say we're going to monitor the heck out of our networks. And the result is operators sitting around consoles 24/7 that indicate line upon line of anomalies that some centers are picking up, and the operators are trying to understand what that means. That's very rudimentary.”

Fuhrman said the next step is going beyond monitoring and moving to true command and control — and understanding how to apply situational awareness to the overall mission. “We need to advance the state of the art and recognize that this, like so many parts of information assurance, is a multidimensional problem. What are we trying to achieve in this ops center? What sort of decisions do we expect the op centers to make? How do those decisions relate to the mission? And how do we get the right tools in the hands of the operators so that they have the leverage to affect those decisions to cause things to happen?”

One role ops centers might best take on is deploying security patches and handling configuration management as an integrated part of network defense, Fuhrman said.

But another way to look at it would be for DOD and the Cyber Command to view the GIG as a weapons system, he said. “And that means being able to implement configuration control centrally. We don't have that today. It means being able to make decisions that are mission-related and informed by mission requirements but that effect network configuration — what ports are open, what nodes are made accessible or inaccessible.”

With most situational awareness existing at the level of the services’ individual networks, the Cyber Command would hopefully make collaboration across the services’ cyber operations a priority, said Adam Vincent, Layer 7 Technologies’ chief technology officer for the public sector.

“Coordinating cyber activities between NSA and services will be necessary for adequate cyber defense and response," Vincent said. "The need to share cyber-related information will be paramount, and the Cyber Command will need to put practices and solutions in place to adequately address this need. I hope to see social networking and collaboration technologies to enhance the ability to find relevant expertise and disseminate information within the Cyber Command, with the services and with external agencies.”

An emerging school of thought that many DOD cyber leaders have adopted during the past few years is moving from the idea of overall information assurance to a more focused goal of mission assurance — from a forensic approach of patching holes to more of a risk management model aimed at sustaining critical services to support DOD's mission.

“Security isn't the mission,” Conway said. “Security is an enabler of the mission. That's one of the things Cyber Command is hopefully going to get their arms around to present a choice to the operator: Here's your risk if you don't do any security, here's your risk if you do everything secure, and here's a spectrum of everything in between. That’s a really complicated thing, but the operator needs to know how dependent they are on cyber” and make a decision on what risks are acceptable, he said.

To address an advanced persistent threat, mission assurance focuses on what it calls CIA: confidentiality, integrity and availability — the three aspects of the GIG that allow operators to conduct their missions. “Confidentiality means I can make sure I keep my secrets secret. Integrity means knowing I'm going to protect someone from getting inside my information systems and changing things. And availability means making sure there’s not a denial of service so I can’t use my information systems.”

Tools in Hand

DOD already has many of the technologies required to better manage these risk areas but for one reason or another has yet to deploy them. For example, although there’s been a great deal of energy expended on securing USBs in the wake of the 2008 malware attack on the GIG, data-at-rest protection has failed to be widely deployed. Although data-at-rest protection was supposed to be fully deployed by 2009, only a fraction of the services’ systems have a solution deployed, such as the Host-Based Security System, Conway said.

Data protection technology and insider threat protection are other areas in which the technology is already available to help reduce the risk of confidential data loss or the undermining of data in critical information systems. With insider threats, “there's a fair amount of things that are going on across the defense and intelligence communities,” Raytheon’s Hawkins said. In August 2009, the Defense Information Systems Agency selected Raytheon’s insider threat management tool as the Insider Threat Focused Observation Tool for DOD, and Raytheon has been contracted to provide an enterprise license to DOD for the technology.

“They've proven the technology, and the technology is in wide use,” Hawkins said. “But they need to be in use across the entire enterprise to make them effective.”

The Cyber Workforce Gap

Part of what might be causing DOD’s information assurance reach to exceed its grasp is what experts describe as a shortage of qualified information assurance professionals inside and outside the services and a huge unmet need for training. Workforce management across DOD will be a major issue for the new Cyber Command.

“A very important part of this is not just putting technology in place but being able to have some formalized training to allow people to use the tools,” Hawkins said. “We've had several recent retirees come to work for us, and they say one of the more frustrating things is they can get a lot of technology, but they have to be trained on how to use it."

Although the Cyber Command will draw on the services for capabilities, the new command will need to play a major role in driving how the services build their cyber ranks. “Information assurance is only as good as the person who's actually operating it,” Conway said. “Security tools need to be continually updated and adapted because the threat continues to update itself and adapt itself. It's a spy vs. spy game. You need to have a better spy at the end of the game.”

“The basic question of workforce is facing all of us,” Fuhrman said. “We as contractors are competing for the same talent pool as not only the other contractors but the government itself because the field of cyber warriors is very small.”

DOD is addressing the problem in part through DOD Directive 8750, which mandates that military personnel, civilian employees and government contractors be certified as information assurance professionals before they can have administrative access to DOD networks and systems. “We have to recognize that getting a certification doesn't necessarily give a person the right skills,” Fuhrman said. “Getting this framework in place is good. But the objective for the future has to be to continually raise that bar…and make sure that the cyber workforce really is a professional workforce with the right skills.”

Reader Comments

Fri, Jul 23, 2010
Susan Alders
Millington, TN

If Information Assurance is the key and the enforcement of such is extremely important to the defense-in-depth, then the position of authority within ALL the services and their relative commands needs to be evaluated and assessed to ensure the IAM position has the level of authority within the Command to get the job done without the IT Ops management derailing requirements. Commands have NOT structured the Command IAM into a position of authority, nor have they empowered them with the authority to ensure the Information Assurance compliance is implemented and maintained. Too many times the IT Ops management will override the Command IAM’s authority and create an insecure situation and/or environment for the sake of putting something online or in production. It is the IT Ops management that has the last word as to what is actually being reported outside the command. This is a reality that MUST be reviewed.

Tue, Feb 9, 2010
femtobeam

If the mission is not security and forensics are patching, it is too late for both. The information China was after, they already have. The Quantum Leap now is to understand that software is not the issue, hardware is and the suppliers are China and their minions in Asia. Better to scrap all computer equipment now in a big dump heap, process all of the materials and build new hardware to get the spyware out of the hardware. Put the systems on a chip and replace the chips if necessary. Forget about playing the software game. It is already obsolete. The part about having a better spy is the right one, but they are not looking at programs, they are finding out where the mines are for Rare Earth Elements before the cutoff date. This article clearly points out that there is no defense and no offense for computer network systems, let alone brain interfaced ones. Consolidation into one system of old technology in an all optical future is like gathering the crops for the thief. They don't need to hack your computer if they can hack your brain. You better get with it before it's too late. Access to the computers was built in by the manufacturer. Buy American! Control of the Electromagnetic Spectrum is control of the World.

Mon, Feb 8, 2010
oh10101

Train, test, certify is as structured and flawed as security by obscurity. Without flexibility you are irrelevant to Technology Experience and Knowledge (TEK). IOW; DAU is a monolithic structure for validating real performance (Learn2Test) not actual ability (Do2Learn).
When I say "Open Source" to a CIO; who replies "Freeware, Shareware, malware", I am stressed about decisions selecting any standards, architecture, products....
When I say MMO gaming for learning, opencourseware, OKI... environments and local focus is on the word game, I am troubled about processes and objectives.
When I say knowledge management, InAgent, a/o BizInAgent and the common term Bot, someone thinks security problems....
I AGREE! “Security isn't the mission, Conway said. Security is an enabler of the mission. That's one of the things Cyber Command is hopefully going to get their arms around to present a choice to the operator: Here's your risk if you don't do any security, here's your risk if you do everything secure, and here's a spectrum of everything in between. That’s a really complicated thing, but the operator needs to know how dependent they are on cyber and make a decision on what risks are acceptable, he said.”
It is all getting better, but intransigence is the mode, just like in 1986 when desktops (AppleII) started replacing terminals, then we had time for the non-thinking, nay-saying....

Tue, Feb 2, 2010

I agree wholeheartedly with the reader's comments on certifications.

Certifications used to be ok for the private sector - but all that really means is that you know how to pass a test. Personally, when I hire technology specialists, they go through an exhaustive interview with multiple trusted technical folks already on staff to determine their knowledge and skills - not what their wall is papered with.

By relying on "wall paper" (certifications) you very likely prevent the hiring of the technical folks that you really are looking for. Many of the certification classes I have attended have been nothing more than slightly technical and used mainly as marketing for the companies "teaching" the classes.

Certifications should be talked about after the hiring process has been completed - oh, by the way I have. . .

Food for thought -

I know a particular private sector financial institution that broke the "certification ritual" and hired more than a dozen "known hackers" to "fix" their network and teach concepts to the rest of the IT staff - network breaches began to decline immediately -

None of these folks would even lower themselves to become "certified" - they laugh at certifications. . .

Sat, Jan 30, 2010

Why are you still relying on certifications when you already know the truth by making this statement: "We have to recognize that getting a certification doesn't necessarily give a person the right skills"? You have not realized yet that the real cyber warriors are the pale skinned geeks living in basements. These are the guys and gals who shun certifications and would barely pass any standardized tests because their brains are not wired for traditional thought. These are the people who could not function in any organized environment. These are the people who lack the personal skills to even get past your hiring department. Yet these are the people that can bring down a network in minutes. You want a solution, you have to literally stop thinking inside your box and start thinking inside their box. Figure out a way to make these people comfortable so they can be available to work for you.